API Testing Checklist

This comprehensive API testing checklist covers critical security aspects to consider when evaluating the safety of your API. Each item includes a description, practical examples using common penetration testing tools, prevention measures, and additional resources for in-depth learning.

Authentication and Authorization Testing
Ensure that the API properly authenticates users and enforces appropriate access controls.
  • Burp Suite

    Use Burp Suite's Repeater to modify authentication tokens and test for vulnerabilities.

    Intercept and modify API requests to test various authentication scenarios.

  • OWASP ZAP

    zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' https://api.example.com

    Perform a quick automated scan of the API endpoints for common vulnerabilities.

  • JWT_Tool

    python3 jwt_tool.py <your_jwt_token> -T

    Analyze and test JWT tokens for weaknesses in the authentication mechanism.

  • OAuth2-Proxy

    oauth2-proxy --config=oauth2-proxy.cfg

    Set up a proxy to test OAuth2 implementations and identify potential misconfigurations.

Input Validation and Sanitization
Check if the API properly validates and sanitizes input to prevent injection attacks and other security issues.
  • SQLMap

    sqlmap -u "https://api.example.com/endpoint?id=1" --batch --random-agent

    Automatically test for SQL injection vulnerabilities in API parameters.

  • Postman

    Use Postman to send requests with various payloads to test input validation.

    Manually craft requests with special characters, large payloads, and unexpected data types.

  • NoSQLMap

    python nosqlmap.py -u https://api.example.com/endpoint

    Test for NoSQL injection vulnerabilities in APIs using MongoDB or other NoSQL databases.

  • Arjun

    arjun -u https://api.example.com/endpoint -m GET

    Discover hidden API parameters that might be vulnerable to injection attacks.

Rate Limiting and Resource Management
Test the API's ability to handle high volumes of requests and prevent abuse through proper rate limiting.
  • Apache JMeter

    jmeter -n -t api_load_test.jmx -l results.jtl

    Perform load testing to identify potential rate limiting issues and API performance under stress.

  • Siege

    siege -c 100 -t 1M https://api.example.com/endpoint

    Stress test the API to check for proper rate limiting and resource management.

  • Gatling

    gatling.sh -s ApiLoadTest

    Execute high-concurrency load tests to evaluate API rate limiting effectiveness.

Error Handling and Information Disclosure
Check if the API properly handles errors and does not disclose sensitive information in error messages.
  • Burp Suite Intruder

    Use Burp Suite Intruder to send various malformed requests and analyze error responses.

    Test API endpoints with different inputs to trigger and analyze error responses.

  • Custom Python Script

    python error_testing_script.py https://api.example.com

    Use a custom script to automate sending various error-inducing requests and analyze responses.

  • OWASP ZAP

    Use ZAP's Active Scan with custom scripts for error handling checks.

    Automate the process of testing API error handling and information disclosure.
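
As an added example (not the page's error_testing_script.py, which is not shown): a small Python script that sends a few malformed requests to an endpoint you are authorised to test and flags the disclosures this section warns about (stack traces, database errors, default HTML error pages, version headers). The probe bodies, the detection patterns and the sample responses are constructed here.

```python
"""Added example, not the page's error_testing_script.py: send a few malformed
requests to an endpoint you are authorised to test and flag verbose errors."""
import re
import urllib.error
import urllib.request
# Signatures of internals that should never reach an API client (constructed).
DISCLOSURE_PATTERNS = {
    "stack trace": re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\(\w+\.java:\d+\)"),
    "database error": re.compile(r"SQL syntax|ORA-\d{5}|SQLSTATE|OperationalError", re.I),
    "filesystem path": re.compile(r"/(?:home|var|usr|opt|srv)/[\w./-]+|[A-Z]:\\[\w\\.-]+"),
}
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")  # often reveal software versions

def analyze_error_response(status, headers, body):
    """Return findings for one response; headers is a dict, body the response text."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    for name in VERSION_HEADERS:
        if name in lower and re.search(r"\d", lower[name]):
            findings.append(f"version disclosed in {name} header: {lower[name]}")
    for label, pattern in DISCLOSURE_PATTERNS.items():
        if pattern.search(body):
            findings.append(f"{label} in response body")
    if status >= 500 and "text/html" in lower.get("content-type", ""):
        findings.append("5xx served as HTML, likely a framework default error page")
    return findings

# Malformed requests that tend to reach unhandled code paths (constructed).
PROBES = [
    ("POST", b'{"id": ', "application/json"),     # truncated JSON body
    ("POST", b"<id>1</id>", "application/json"),  # body does not match Content-Type
    ("GET", None, None),                           # baseline request
]

def probe_endpoint(url, timeout=10):
    """Send each probe to url and return a list of (method, findings) pairs."""
    results = []
    for method, data, ctype in PROBES:
        req = urllib.request.Request(url, data=data, method=method)
        if ctype:
            req.add_header("Content-Type", ctype)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                status, hdrs, body = resp.status, dict(resp.headers), resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body worth checking
            status, hdrs, body = err.code, dict(err.headers), err.read().decode(errors="replace")
        results.append((method, analyze_error_response(status, hdrs, body)))
    return results
```

A clean API returns structured JSON errors with no findings; anything `analyze_error_response` reports is a candidate for a generic error handler and for stripping version headers at the reverse proxy.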

Data Encryption and Protection
Ensure that sensitive data is properly encrypted in transit and at rest, and that proper key management is in place.
  • OpenSSL

    openssl s_client -connect api.example.com:443 -tls1_2

    Test the SSL/TLS configuration of the API endpoint and check for proper encryption.

  • Burp Suite

    Use Burp Suite to intercept API traffic and verify proper use of HTTPS.

    Analyze API requests and responses to ensure sensitive data is encrypted in transit.

  • SSLyze

    sslyze api.example.com:443

    Perform comprehensive SSL/TLS configuration analysis on the API endpoint (the full scan is the default in SSLyze 3 and later; the older 2.x releases required the --regular flag).

API Versioning and Deprecation
Check if the API implements proper versioning and has a clear deprecation policy to maintain backward compatibility and security.
  • Postman

    Use Postman to test different API versions and deprecated endpoints.

    Create collections for different API versions and test for consistency and deprecation notices.

  • Custom Script

    python api_version_checker.py https://api.example.com

    Use a custom script to automate checking of API versions and deprecated endpoints.

  • API Spec Diff

    api-spec-diff old_spec.json new_spec.json

    Compare different versions of API specifications to identify changes and potential breaking updates.

API Documentation and Specification
Ensure that the API is well-documented and has a clear, up-to-date specification that accurately reflects its functionality and security measures.
  • Swagger UI

    docker run -p 80:8080 swaggerapi/swagger-ui

    Use Swagger UI to visualize and interact with the API's resources without having direct access to the implementation.

  • Redoc

    npx redoc-cli serve openapi.yaml

    Generate interactive API documentation from OpenAPI (Swagger) definitions.

  • Dredd

    dredd api-description.yml http://api.example.com

    Validate API documentation against its backend implementation.

API Security Headers
Test if the API implements appropriate security headers to protect against common web vulnerabilities and enhance overall security.
  • OWASP ZAP

    zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' https://api.example.com

    Scan the API for missing or misconfigured security headers.

  • SecurityHeaders.com

    Visit https://securityheaders.com and enter your API endpoint.

    Online tool to quickly assess the security headers of your API.

  • curl

    curl -I https://api.example.com

    Manually inspect the headers returned by the API.
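
An added example, not part of the original checklist: a Python check that parses the raw output of `curl -I` (a constructed sample is embedded) and reports the headers a JSON API response should carry. The set of expected headers and the HSTS max-age threshold are assumptions for a typical JSON API, not values from the page.

```python
"""Added example, not from the original checklist: parse `curl -I` output and
report security headers a JSON API response should carry."""
import re

def hsts_ok(value, min_age=15552000):
    """HSTS counts as adequate at or above min_age seconds (180 days, our assumption)."""
    m = re.search(r"max-age=(\d+)", value)
    return bool(m) and int(m.group(1)) >= min_age

# Expected headers for a JSON API response, each with a value check (assumed baseline).
EXPECTED = {
    "strict-transport-security": hsts_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "cache-control": lambda v: "no-store" in v.lower(),   # API responses should not be cached
    "content-type": lambda v: v.lower().startswith("application/json"),
}

def parse_curl_headers(raw):
    """Turn the text printed by `curl -I` into (status_code, {lowercase name: value})."""
    lines = [line for line in raw.splitlines() if line.strip()]
    status = int(lines[0].split()[1])  # "HTTP/2 200" or "HTTP/1.1 200 OK"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_security_headers(raw):
    """Return a list of findings for one `curl -I` capture."""
    _, headers = parse_curl_headers(raw)
    findings = []
    for name, value_ok in EXPECTED.items():
        if name not in headers:
            findings.append(f"missing {name}")
        elif not value_ok(headers[name]):
            findings.append(f"weak {name}: {headers[name]}")
    return findings

# Constructed sample of what curl -I might print for an API endpoint.
SAMPLE_WEAK = """HTTP/2 200
content-type: application/json
cache-control: max-age=300
x-content-type-options: nosniff
"""
```

Run `check_security_headers` over saved `curl -I` captures of each endpoint; an empty list means the baseline is met.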

API Fuzzing
Perform fuzz testing on the API to identify potential vulnerabilities, unexpected behaviors, and edge cases that could lead to security issues.
  • API Fuzzer

    apifuzzer --url https://api.example.com/endpoint --method POST --data '{"key": "value"}'

    Automated tool to perform fuzz testing on API endpoints.

  • Burp Suite Intruder

    Use Burp Suite's Intruder feature with various payload sets.

    Customize and automate API fuzzing attacks using Burp Suite.

  • Sulley

    python sulley_script.py

    Create custom fuzzing scripts to test API robustness and security.

API Authentication Mechanisms
Evaluate and test the various authentication mechanisms used by the API to ensure they are implemented securely and effectively.
  • OAuth 2.0 Debugger

    Visit https://oauthdebugger.com/ and input your OAuth 2.0 parameters.

    Online tool to debug and test OAuth 2.0 flows.

  • JWT Debugger

    Visit https://jwt.io/ and paste your JWT token.

    Decode and verify JWT tokens used for API authentication.

  • Postman

    Use Postman's Authorization tab to test different auth mechanisms.

    Test various authentication methods including API keys, OAuth, and JWT.

© 2023 Pentesting Checklists by RFS. All rights reserved.